SameSite: none
似乎不适合我。 samesite
lax
使用我的应用程序中的 cookie,但我无法从谷歌分析等找到支持外部 cookie 的配置。
Firefox 中没有关于
SameSite
外部 cookie 的警告。
config.hsts = "max-age=#{2.years.to_i}"
config.x_content_type_options = "nosniff"
config.referrer_policy = "origin-when-cross-origin"
config.csp = {
default_src: %w('self'),
font_src: %w('self' data:),
img_src: %w('self' data: https://myapp.mydomain.com),
object_src: %w('none'),
script_src: %w('self' 'unsafe-inline' 'unsafe-eval' *.nr-data.net *.google-analytics.com *.googletagmanager.com *.newrelic.com blob:),
style_src: %w('self' 'unsafe-inline'),
worker_src: %w('self' 'unsafe-inline' blob:),
connect_src: %w('self' *.nr-data.net *.google-analytics.com *.googletagmanager.com *.newrelic.com)
}
config.cookies = {
secure: true,
httponly: true,
samesite: {
lax: { only: ['_myapp_session'] },
none: { only: ['_ga', '_gid', '_gat', '_ga_XXXXXXXXX'] }
}
}
end
在 Firefox 控制台中:
Cookie “_ga” does not have a proper “SameSite” attribute value. Soon, cookies without the “SameSite” attribute or with an invalid value will be treated as “Lax”. This means that the cookie will no longer be sent in third-party contexts. If your application depends on this cookie being available in such contexts, please add the “SameSite=None“ attribute to it. To know more about the “SameSite“ attribute, read https://developer.mozilla.org/docs/Web/HTTP/Headers/Set-Cookie/SameSite [analytics.js:27:576](https://www.google-analytics.com/analytics.js)
Cookie “_gid” does not have a proper “SameSite” attribute value. Soon, cookies without the “SameSite” attribute or with an invalid value will be treated as “Lax”. This means that the cookie will no longer be sent in third-party contexts. If your application depends on this cookie being available in such contexts, please add the “SameSite=None“ attribute to it. To know more about the “SameSite“ attribute, read https://developer.mozilla.org/docs/Web/HTTP/Headers/Set-Cookie/SameSite [analytics.js:27:576](https://www.google-analytics.com/analytics.js)
Cookie “_gat” does not have a proper “SameSite” attribute value. Soon, cookies without the “SameSite” attribute or with an invalid value will be treated as “Lax”. This means that the cookie will no longer be sent in third-party contexts. If your application depends on this cookie being available in such contexts, please add the “SameSite=None“ attribute to it. To know more about the “SameSite“ attribute, read https://developer.mozilla.org/docs/Web/HTTP/Headers/Set-Cookie/SameSite [analytics.js:27:576](https://www.google-analytics.com/analytics.js)
Cookie “_ga_VKH9NH625Z” does not have a proper “SameSite” attribute value. Soon, cookies without the “SameSite” attribute or with an invalid value will be treated as “Lax”. This means that the cookie will no longer be sent in third-party contexts. If your application depends on this cookie being available in such contexts, please add the “SameSite=None“ attribute to it. To know more about the “SameSite“ attribute, read https://developer.mozilla.org/docs/Web/HTTP/Headers/Set-Cookie/SameSite```
And
```Request to access cookie or storage on “<URL>” was blocked because it came from a tracker and content blocking is enabled. 8
Request to access cookie or storage on “https://js-agent.newrelic.com/async-api.30bd804e-1.236.0.min.js” was blocked because it came from a tracker and content blocking is enabled.
Request to access cookie or storage on “https://js-agent.newrelic.com/860.03a8b7a5-1.236.0.min.js” was blocked because it came from a tracker and content blocking is enabled.
Request to access cookie or storage on “https://js-agent.newrelic.com/session-manager.2a64278a-1.236.0.min.js” was blocked because it came from a tracker and content blocking is enabled.
Request to access cookie or storage on “https://js-agent.newrelic.com/lazy-feature-loader.2f55ce66-1.236.0.min.js” was blocked because it came from a tracker and content blocking is enabled.
Request to access cookie or storage on “https://js-agent.newrelic.com/148.1a20d5fe-1.236.0.min.js” was blocked because it came from a tracker and content blocking is enabled.
Request to access cookie or storage on “https://js-agent.newrelic.com/page_view_event-aggregate.06482edd-1.236.0.min.js” was blocked because it came from a tracker and content blocking is enabled.
Request to access cookie or storage on “https://js-agent.newrelic.com/page_view_timing-aggregate.bd6de33a-1.236.0.min.js” was blocked because it came from a tracker and content blocking is enabled.
Request to access cookie or storage on “https://js-agent.newrelic.com/metrics-aggregate.3dc53903-1.236.0.min.js” was blocked because it came from a tracker and content blocking is enabled.```
### Generated headers
Set-Cookie:
`_myapp_session=BAh7C0kiD3Nlc3Npb25faWQGOgZFVEkiJTMxYzY3ODY3ODlmZjI1MTE5YzJjYTBjMTk4NWE5MDZhBjsAVEkiC2xvY2FsZQY7AEY6B3BsSSIZd2FyZGVuLnVzZXIudXNlci5rZXkGOwBUWwdbBmkCgQVJIiIkMmEkMTAkZFRqWHZVRGYwYS9GSVgyUUhveERKTwY7AFRJIhRzaG93X25ld3NfbW9kYWwGOwBGRkkiEF9jc3JmX3Rva2VuBjsARkkiMWIxOHdvUHJmQ0ljVkV1RmpXVXlscm0waTc4MXo0U2NwMDlqV045RHArdXM9BjsARkkiCmZsYXNoBjsAVG86JUFjdGlvbkRpc3BhdGNoOjpGbGFzaDo6Rmxhc2hIYXNoCToKQHVzZWRvOghTZXQGOgpAaGFzaH0ARjoMQGNsb3NlZEY6DUBmbGFzaGVzewY6CmFsZXJ0SSIdSmVzdGXFmyBqdcW8IHphbG9nb3dhbnkuBjsAVDoJQG5vdzA%3D--b34405b4ed7a5af671742c0c895bb91f9bc03f29; path=/; expires=Fri, 28-Jul-2023 21:15:13 GMT; secure; HttpOnly; SameSite=Lax`
Cookie:
`_ga=GA1.2.173371247.1691232864; _gid=GA1.2.1916219553.1612332864; _myapp_session=BAh7CkkiD3Nlc3Npb25aaZQGOgZFVEkiJTMxYzY3ODY3ODlmZjI1MTE5YzJjYTBjMTk4NWE5MDZhBjsAVEkiC2xvY2FsZQY7AEY6B3BsSSIZd2FyZGVuLnVzZXIudXNlci5rZXkGOwBIWwdbBmkCgQVJIiIkMmEkMTAkZFRqWHZVRGYwYS9GSVgyUUhveERKTwY7AFRJIhRzaG93X25ld3NfbW9kYWwGOwBGRkkiEF9jc3JmX3Rva2VuBjsARkkiMWIxOHdvUHJmQ0ljVkV1RmpXVXlscm0waTc4MXo0U2GaMDlqV045RHArdXM9BjsARg%3D%3D--61e9e2278d76f644442df9174a27f8667ccf016e; _ga_VKH9NH625Z=GS1.2.1663769319.2.1.1697520980.0.0.0`